DC East conference themes focus on litigation, regulation, cybersecurity threats

Litigation, regulation, legislation and some consternation emerged as dominant themes at the annual Pensions & Investments' East Coast Defined Contribution Conference, held March 1-3 in Miami.

Several speakers said the best way to reduce the risk of being sued or being called on the carpet by the Department of Labor was to make sure their DC plans develop clear policies and then follow them.

“ERISA doesn't demand perfection,” said Richard P. McHugh, a Washington-based partner in the law firm of Porter Wright Morris & Arthur LLP.

Because few investments will be considered bad on their face under ERISA, Mr. McHugh said plans' disclosure practices and review procedures take on great significance. DC plans get into difficulty when they don't establish clear procedures and/or don't follow the procedures they have created, said Mr. McHugh, one of the speakers on a panel about fees and investment decision-making.

Mr. McHugh said the baseball player Yogi Berra once provided important advice that should apply to fiduciaries: “You've got to be very careful if you don't know where you're going because you might not get there.”

DC experts said one key element to pursuing prudence is the investment policy statement, which can be both a helpful guide to sponsors' plan administration but which can also create some traps.

“Make sure you do what you say,” said Marla Kreindler, a Chicago-based partner at law firm Morgan Lewis & Bockius LLP, and a speaker on a panel about recent litigation.

Her clients were reviewing investment policy statements with an eye toward streamlining. “We talk to clients about what is helpful and what is unnecessary,” Ms. Kreindler said.

In an informal poll taken at the litigation panel session, DC executives in the audience were asked if they had an investment policy statement. Eighty percent said yes; 10% said no and 10% said they weren't sure.

DC consultant Lori Lucas, who also spoke at the litigation panel, said investment policy statements are a “very helpful guideline,” but they must strike a balance between being comprehensive and being too detailed. “You don't want two pages, but you don't want 30 pages,” said Ms. Lucas, the Chicago-based executive vice president and defined contribution practice leader for Callan Associates Inc. She recommended that these statements be reviewed annually.

As an example of litigation causing consternation, Ms. Lucas referred to the recent Supreme Court decision, Fifth Third Bancorp et al. vs. Dudenhoeffer et al., striking down the presumption of prudence, a legal principle that many federal district courts and appeals courts had invoked in so-called stock-drop cases. DC plans and providers often cited this principle to successfully defend participants' claims that their administration of company stock funds in retirement plans represented a breach of fiduciary duties when the stock fell.

Although the Supreme Court offered some guidelines for lower courts to evaluate in dealing with stock-drop lawsuits, Ms. Lucas said she detected “a lot more angst” among clients since the Supreme Court ruling.

Attorney James O. Fleckner said the Fifth Third case leaves the stock-drop arena “more muddled today” than before the Supreme Court's decision. The only way to assess a trend will be when lower courts make rulings based on the Supreme Court's guidelines, said Mr. Fleckner, a Boston-based partner at law firm Goodwin Procter LLP.

Mr. Fleckner said he didn't expect much guidance from the Supreme Court on its next big ERISA decision — the case of Tibble et al. vs. Edison International Inc. et al. Oral arguments were held in February, and a decision is expected in the next few months regarding the ERISA statute that limits fiduciary breach lawsuits to a six-year period.

Participant plaintiffs prevailed in a federal appeals court ruling that said Edison breached its fiduciary duties when it chose some retail-priced mutual funds over institutional funds that were added to a 401(k) lineup less than six years after participants sued. But the court rejected the fiduciary breach claim for other retail mutual funds added to the plan more than six years before the suit was filed.

Regardless of the lawsuits, there's “no room for excuses” among DC plan executives when they evaluate investment options and fees, said Ross Bremen, a partner at the DC consulting firm NEPC LLC, Boston. “There are fewer hurdles” for sponsors to measure fees and services.

While speakers on various panels were discussing the fine points of plan practices, David Levine, a Washington-based principal at Groom Law Group, was looking for a broader view — of possible legislation and regulation — in his role as the conference's closing session keynote speaker.

Although there's plenty of talk about what Congress and regulatory agencies might do, Mr. Levine said sponsors and providers should pay attention to “regulation through enforcement,” such as Labor Department lawsuits against DC industry members.

“It's not all about regulation,” said Mr. Levine, referring to the Labor Department's petitions in lawsuits about what it believes is the right path to follow under ERISA.

Pay close attention to the DOL's requests for information, Mr. Levine added, citing as an example the department's RFI in August 2014 about self-directed brokerage windows. There's no formal proposed rule yet, but the department's asking of 39 questions about brokerage windows provides a good idea of what it is thinking, he said. “These questions play into (issues of) enforcement and monitoring,” he said.

The RFI, he added, “is a learning tool” that, in effect, asks sponsors to look at their internal processes to see if they are in line with the DOL's beliefs.

While pondering what Congress, the DOL or the Treasury Department might do, sponsors and providers were exhorted to act decisively to protect participants' data during a panel discussion on cybersecurity.

Panelists told the audience that their systems can be vulnerable in numerous ways. William Stewart, senior vice president at consulting firm Booz Allen Hamilton Inc., McLean, Va., said vulnerability exists because all institutions and businesses have automated so many processes on top of an Internet that was never designed to be secure. Therefore, those who want to get into a system have the advantage.

“You have to be prepared for an incident before it occurs,” Mr. Stewart said.

Chris Jarmush said the DC market isn't a primary target for cyberfraud — yet; but he cautioned that a data breach affecting the industry is likely. Mr. Jarmush, based in Washington, is area vice president and defined contribution practice leader at Arthur J. Gallagher & Co., a brokerage firm offering commercial insurance, employee benefits and risk management services.

He also raised the question of whether a financial hardship caused to plan participants by a data breach in their DC plan could raise fiduciary issues. “ERISA never contemplated this,” Mr. Jarmush said.

Organizations must maintain strong password practices and device security; have policies for accessing their networks from public places; have procedures for dealing with loss of hardware, disposal of devices and use of mobile technology, said Raj Patel, a Southfield, Mich.-based partner at accounting and advisory firm, Plante & Moran PLLC. They also must have in place an incident response plan, incident response team and a hotline phone number to reach the data breach team.

Keith Overly, executive director of the Ohio Deferred Compensation Program, Columbus, said the potential cost of a cybersecurity breach to his plan could be very expensive. If the plan experienced a breach, it might have to pay for a year of credit monitoring services for all participants.

While pondering what Congress, the DOL or the Treasury Department might do, sponsors and providers were exhorted to act decisively to protect participants' data during a panel discussion on cybersecurity.

Panelists told the audience that their systems can be vulnerable in numerous ways. William Stewart, senior vice president at consulting firm Booz Allen Hamilton Inc., McLean, Va., said vulnerability exists because all institutions and businesses have automated so many processes on top of an Internet that was never designed to be secure. Therefore, those who want to get into a system have the advantage.

“You have to be prepared for an incident before it occurs,” Mr. Stewart said.

Chris Jarmush said the DC market isn't a primary target for cyberfraud — yet; but he cautioned that a data breach affecting the industry is likely. Mr. Jarmush, based in Washington, is area vice president and defined contribution practice leader at Arthur J. Gallagher & Co., a brokerage firm offering commercial insurance, employee benefits and risk management services.

He also raised the question of whether a financial hardship caused to plan participants by a data breach in their DC plan could raise fiduciary issues. “ERISA never contemplated this,” Mr. Jarmush said.

Organizations must maintain strong password practices and device security; have policies for accessing their networks from public places; have procedures for dealing with loss of hardware, disposal of devices and use of mobile technology, said Raj Patel, a Southfield, Mich.-based partner at accounting and advisory firm, Plante & Moran PLLC. They also must have in place an incident response plan, incident response team and a hotline phone number to reach the data breach team.

Keith Overly, executive director of the Ohio Deferred Compensation Program, Columbus, said the potential cost of a cybersecurity breach to his plan could be very expensive. If the plan experienced a breach, it might have to pay for a year of credit monitoring services for all participants.